Digging a little deeper into Windows 8 Primary Computer

Hi folks, Ned here again to talk more about the Primary Computer feature introduced in Windows 8. Sharp-eyed readers may have noticed this lonely beta blog post and if you just want a set-by-step guide to enabling this feature, TechNet does it best. Today I am going to fill in some blanks and make sure the feature’s architecture and usefulness is clear. At least, I’m going to try.

Onward!

Backgrounder and Requirements

Businesses using Roaming User Profiles, Offline Files and Folder Redirection have historically been limited in controlling which computers cache user data. For instance, while there are group policies to assign roaming profiles on a per computer basis, they affect all users of that computer and are useless if youassign roaming profiles through legacy user attributes.

Windows 8 introduces a pair of new per-user AD DS attributes to specify a “primary computer.” The primary computer is the one directly assigned to a user – such as their laptop, or a desktop in their cubicle – and therefore unlikely to change frequently. We refer to this as “User-Device Affinity”. That computer will allow them to store roaming user data or access redirected folder data, as well as allow caching of redirected data through offline files. There are three main benefits to using Primary Computer:

When a user is at a kiosk, using a conference room PC, or connecting to the network from a home computer, there is no risk that confidential user data will cache locally and be accessible offline. This adds a measure of security.

Unlike previous operating systems, an administrator now has the ability to control computers that will not cache data, regardless of the user’s AD DS profile configuration settings.

The initial download of a profile has a noticeable impact on logon performance; a brand new Windows 8 user profile is ~68MB in size, and that’s before it’s filled with “Winter is coming” meme pics. Since a roaming profile and folder redirection no longer synchronously cache data on the computer during logon, a user connecting from a temporary or home machine logs on considerably faster.

By assigning computer(s) to a user then applying some group policies, you ensure data only roams or caches where you want it.

Yoink, stolen screenshot from a much better artist

Primary Computer has the following requirements:

Windows 8 or Windows Server 2012 computers used for interactive logon

Windows Server 2012 AD DS Schema (but not necessarily Win2012 DCs)

Group Policy managed from Windows 8 or Windows Server 2012 GPMC

Some mechanism to determine each user’s primary computer(s)

Determining Primary Computers

There is no attribute in Active Directory that tracks which computers a user logs on to, much less the computers they log on to the most frequently. There are a number of out of band options to determine computer usage though:

System Center Configuration Manager – SCCM has built in functionality to determine the primary users of computers, as part of its “Asset Intelligence” reporting. You can read more about this feature in SCCM 2012 and 2007 R2. This is the recommended method as it’s the most comprehensive and because I like money.

Collecting 4624 events – the Security event log Logon Event 4624 with a Logon Type 2 delineates where a user logged on interactively. By collecting these events using some type of audit collection service or event forwarding, you can build up a picture of which users are logging on to which computers repeatedly.

Logon Script – If you’re the fancy type, you can create a logon script that writes a user’s computer to a centralized location, such as on their own AD object. If you grant inherited access for SELF to update (for instance) the Comment attribute on all the user objects, each user could use that attribute as storage. Then you can collect the results for a few weeks and create a list of computer usage by user.

For example, this rather hokey illustration VBS runs as a logon script and updates a user’s own Comment attribute with their computer’s distinguished name, only if it has changed from the previous value:

Set objSysInfo = CreateObject(“ADSystemInfo”)

Set objUser = GetObject(“LDAP://” & objSysInfo.UserName)

Set objComputer = GetObject(“LDAP://” & objSysInfo.ComputerName)

strMessage = objComputer.distinguishedName

if objUser.Comment = StrMessage then wscript.quit

objUser.Comment = strMessage

objUser.SetInfo

A user may have more than one computer they logon to regularly though and if that’s the case, an AD attribute-based storage solution is probably not the right answer unless the script builds a circular list with a restricted number of entries and logic to ensure it does not update with redundant data. Otherwise, there could be excessive AD replication. Remember, this is just a simple example to get the creative juices flowing.

PsLoggedOn – you can script and run PsLoggedOn.exe (a Windows Sysinternals tool) periodically during the day for all computers over the course of several weeks. That would build, over time, a list of which users frequent which computers. This requires remote registry access through the Windows Firewall.

Third parties – there are SCCM/SCOM-like vendors providing this functionality. I don’t have details but I’m sure they have a salesman who wants a new German sports sedan and will be happy to bend your ear.

Setting the Primary Computer

As I mentioned before, look at TechNet for some DSAC step-by-step for setting the msDS-PrimaryComputer attribute and the necessary group policies. However, if you want to use native Windows PowerShell instead of our interesting out of band module, here are some more juice-flow inducing samples.

The ActiveDirectory Windows PowerShell module get-adcomputer and set-aduser cmdlets allow you to easily retrieve a computer’s distinguished name and assign it to the user’s primary computer attribute. You can use assigned variables for readability, or with nested functions for simplicity.

Variable

<$variable> = get-adcomputer <computer name>

Set-aduser <user name> -add @{‘msDS-PrimaryComputer’=”<$variable>“}

For example, with a computer named cli1 and a user name stduser:

Nested

Other techniques

If you use AD DS to store the user’s last computer in their Comment attribute as part of a logon script – like described in the earlier section – here is an example that reads the stduser attribute Comment and assigns primary computer based on the contents:

If you wanted to assign primary computers to all of the users within the Foo OU based on their comment attributes, you could use this example:

If you have a CSV file that contains the user accounts and their assigned computers as DNs, you can use the import-csv cmdlet to update the users. For example:

This is particularly useful when you have some asset history and assign certain users specific computers. Certainly a good idea for insurance and theft prevention purposes, regardless.

Cached Data Clearing GP

Enabling Primary Computer does not remove any data already cached on other computers that a user does not access again. I.e. if a user was already using Roaming User Profiles or Folder Redirection (which, by default, automatically adds all redirected shell folders to the Offline Files cache), enabling Primary Computer means only that further data is not copied locally to non-approved computers.

In the case of Roaming User Profiles, several policies can clear data from computers at logoff or restart:

Delete user profiles older than a specified number of days on system restart – this deletes unused profiles after N days when a computer reboots

Delete cached copies of roaming profiles – this removes locally saved roaming profiles once a user logs off. This policy would also apply to Primary Computers and should be used with caution

In the case of Folder Redirection and Offline Files, there is no specific policy to clear out stale data or delete cached data at logoff like there is for RUP, but that’s immaterial:

When a computer needs to remove FR after to becoming “non-primary” – due to the primary computer feature either being enabled or the machine being removed from the primary computer list for the user – the removal behavior will depend on how the FR policy is configured to behave on removal. It can be configured to either:

Redirect the folder back to the local profile – the folder location sets back to the default location in the user’s profile (e.g., c:\users\%USERNAME%\Documents), the data copies from the file server to the local profile, and the file server location is unpinned from the computer’s Offline Files cache

Leave the folder pointing to the file server –the folder location still points to the file server location, but the contents are unpinned from the computer’s Offline Files cache. The folder configuration is no longer controlled through policy

In both cases, once the data is unpinned from the Offline Files cache, it will evict from the computer in the background after 15 minutes.

Logging Primary Computer Usage

To see that the Download roaming profiles on primary computers only policy took effect and the behavior at each user logon, examine the User Profile Service operational event log for Event 63. This will state either “This computer is a primary computer for this user” or “This computer is not a primary computer for this user”:

The new User Profile Service events for Primary Computer are all in the Operational event log:

Event ID

62

Severity

Warning

Message

Windows was unable to successfully evaluate whether this computer is a primary computer for this user. This may be due to failing to access the Active Directory server at this time. The user’s roaming profile will be applied as configured. Contact the Administrator for more assistance. Error: %1

Notes and resolution

Indicates an issue contacting LDAP on a domain controller. Examine the extended error, examine System and Application event logs for further details, consider getting a network capture if still unclear

Event ID

63

Severity

Informational

Message

This computer %1 a primary computer for this user

Notes and resolution

This event’s variable will change from “IS” to “IS NOT” depending on circumstances. It is not an error condition unless this is unexpected to the administrator. A customer should interrogate the rest of the IT staff on the network if not expecting to see these events

Event ID

64

Severity

Informational

Message

The primary computer relationship for this computer and this user was not evaluated due to %1

Notes and resolution

Examine the extended error for details.

To see that the Redirect folders on primary computers only policy took effect and the behavior at each user logon, examine the Folder Redirection operational event log for Event 1010. This will state “This computer is not a primary computer for this user” or if it is (good catch, Johan from Comments)

Architecture

Primary Computer is a client-side feature; no matter what you configure in Active Directory or group policy on domain controllers, Windows 7, Windows Server 2008 R2, and older family computers will not obey the settings.

AD DS Schema

Attribute

Explanation

msDS-PrimaryComputer

The primary computers assigned to a user or a security group containing users. Contains a multi-valued linked-value distinguished names that references the msDS-isPrimaryComputerFor backlink on a computer object

msDS-isPrimaryComputerFor

The users assigned to a computer account. Contains a multi-valued linked-value distinguished names that references the msDS-PrimaryComputer forward link on a user object

Processing

The processing of this new functionality is:

Look at Group Policy setting to determine if the msDS-PrimaryComputer attribute in Active Directory should influence the decision to roam the user’s profile or apply Folder Redirection.

If step 1 is TRUE, initialize an LDAP connection and bind to a domain controller

Check for the required schema version

Query for the “msDS-IsPrimaryComputerFor” attribute on the AD object representing the current computer

Check to see if the current user is in the list returned by this attribute or in the group returned by this attribute and if so, return TRUE for IsPrimaryComputerForUser. If no match is found, return FALSE for IsPrimaryComputerForUser

If step 5 is FALSE:

For RUP, an existing cached local profile should be used if present. If there is no local profile for the user, a new local profile should be created

For FR, if Folder Redirection previously applied, the Folder Redirection configuration removes according to the removal action specified by the previously applied policy (this is retained in the local FR configuration). If there is no current FR configuration, there is no work to be done

Troubleshooting

Because this feature is both new and simple, most troubleshooting is likely to follow this basic workflow when Primary Computer is not working as expected:

User assigned the correct computer distinguished name (or in the security group assigned the computer DN)

AD DS replication has converged for the user and computer objects

AD DS and SYSVOL replication has converged for the Primary Computer group policies

Primary Computer group policies applying to the computer

User has logged off and on since the Primary Computer policies applied

The logs of note for troubleshooting Primary Computer are:

Log

Notes and Explanation

Gpresult/GPMC RSoP Report

Validates that Primary Computer policy is applying to the computer or user

Group Policy operational Event log

Validates that group policy in general is applying to the computer or user with specific details

System Event Log

Validates that group policy in general is applying to the computer or user with generalities

Application Event log

Validates that Folder Redirection and Roaming User Profiles are working with generalities and specific details

Folder Redirection operational event log

Validates that Folder Redirection is working with specific details

User Profile Service operational event log

Validates that Roaming User Profile is working with specific details

Fdeploy.log

Validates that Folder Redirection is working with specific details

Cases reported by your users or help desk as Primary Computer processing issues are more likely to be AD DS replication, SYSVOL replication, group policy, folder redirection, or roaming user profile issues. Determine immediately if Primary Computer is at all to blame, then move on to the more likely historical culprits. Watch for red herrings!

Likewise, your company may not be internally aware of Primary Computer deployments and may send you down a rat hole troubleshooting expected behavior. Always ensure that a “problem” with folder redirection or roaming user profiles isn’t just another group within the customer’s company configuring Primary Computer and not telling you (this applies to you too; send a memo, dangit!).

Nice feature! Prior to SCCM, I implemented a logon script to track the last 10 computers a user logs into and the last 10 users that log into a computer by providing access to an attribute which we extended the schema for (hurray!)